UPDATE: OWASP Dependency-Check 3.1.0

My first post about this open source OWASP project covered an older version. This post covers the changes in the latest release, OWASP Dependency-Check 3.1.0, which came out yesterday and ships with production-ready Node.js and NSP analyzers.

What is OWASP Dependency-Check?

OWASP Dependency-Check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies. It can currently be used to scan Java and .NET applications to identify the use of known vulnerable components, and, as of 3.1.0, Node.js applications as well. Experimental analyzers exist for Python, Ruby and PHP (composer). Additionally, OWASP Dependency-Check has experimental analyzers that can be used to scan some C/C++ source code, including OpenSSL source code and projects that use Autoconf or CMake.

OWASP Dependency-Check 3.1.0 Changelog:

Enhancements

Major enhancements to the Node and NSP (Node Security Platform) analyzers – the analyzers are now considered production ready and should be used together: the Node analyzer identifies the packages declared in package.json, and the NSP analyzer checks them against the Node Security Platform advisories.

Added a shutdown hook so that if the update process is interrupted while using an H2 database the lock files will be properly removed allowing future executions of ODC to succeed.

UNC paths can now be scanned using the CLI.

Batch updates are now used, which may speed up the NVD data update when an external DBMS is used instead of the embedded H2 database.

Upgrade Lucene to 5.5.5, the highest version that will allow us to maintain Java 7 support.

Bug fixes

Fixed the CSV report output to correctly list all fields.

Invalid suppression files will now break the build instead of causing ODC to skip the usage of the suppression analyzer.

Fixed a bug in the Lucene query where very large entries in the pom.xml or manifest caused the query to break.

General cleanup, false positive, and false negative reduction.

Also, Dependency-Check 3.0.1 and 3.0.2 were released some time ago. They fixed a database connection issue that affected some usages and updated the query format used by the CentralAnalyzer, since the old format caused the CentralAnalyzer to fail.
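As an added example (not code from this post or from the Dependency-Check project), here is a Python script that drives the 3.x command-line tool on a Node.js project tree, validates the suppression file before the scan (since 3.1.0 an invalid suppression file breaks the build, so it is better to catch that before a long NVD update), and then reads the CSV report (whose fields 3.1.0 now lists correctly) to fail the build when any finding reaches a CVSS threshold. Assumptions: dependency-check.sh is on PATH; the CLI flags used are the 3.x --project/--scan/--format/--out/--suppression; the CSV column names DependencyName, CVE and CVSS follow the 3.x report template; and the report is written as dependency-check-report.csv under the --out directory. The suppression file and the CSV rows are constructed sample data, and the CVE-0000-000x identifiers are placeholders, not real CVEs.

```python
"""Run OWASP Dependency-Check on a Node.js project and gate the build on its CSV report.

Added example, not part of the blog post or of the Dependency-Check project.
Assumptions: dependency-check.sh (the 3.x CLI) is on PATH, the CSV report uses
the 3.x column names referenced below, and the report is written to
dependency-check-report.csv inside the --out directory.
"""
import csv
import io
import subprocess
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

ODC_CLI = "dependency-check.sh"   # assumption: the CLI wrapper script is on PATH
MIN_CVSS = 7.0                    # policy: fail the build on High or worse
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"

# Constructed suppression file in the documented suppression format.
# The <cpe> value is a placeholder, not a real product.
SUPPRESSION_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="{SUPPRESSION_NS}">
  <suppress>
    <notes><![CDATA[False positive: the matched CPE names an unrelated product.]]></notes>
    <cpe>cpe:/a:example_vendor:example_product</cpe>
  </suppress>
</suppressions>
"""

# Constructed CSV report (3.x column layout assumed): one clean dependency and one
# dependency with two placeholder findings. CVE-0000-000x are not real CVE IDs.
SAMPLE_REPORT = '''"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","CVSS","Severity","CPE Confidence","Evidence Count"
"demo","2018-01-01T00:00:00","example-pkg:1.0.0","/src/node_modules/example-pkg/package.json","","","","","","","","","","","","","",""
"demo","2018-01-01T00:00:00","demo-lib:2.3.4","/src/node_modules/demo-lib/package.json","A library, with a comma in its description","MIT","","","","","CVE-0000-0001","","Placeholder finding","NVD","7.5","High","HIGH","3"
"demo","2018-01-01T00:00:00","demo-lib:2.3.4","/src/node_modules/demo-lib/package.json","A library, with a comma in its description","MIT","","","","","CVE-0000-0002","","Placeholder finding","NVD","4.3","Medium","HIGH","3"
'''


def count_suppressions(xml_text):
    """Parse a suppression file and return the number of <suppress> rules.

    Raises ValueError on malformed XML. ODC 3.1.0 itself now fails the build on an
    invalid suppression file instead of silently skipping suppression, so checking
    it before the (slow) scan gives a faster and clearer failure.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"suppression file is not well-formed XML: {exc}") from exc
    return len(root.findall(f"{{{SUPPRESSION_NS}}}suppress"))


def findings_above(csv_text, min_cvss):
    """Return (dependency, cve, score) for every report row scoring at or above min_cvss.

    Rows without a CVE are clean dependencies and are skipped. Quoted fields with
    embedded commas (descriptions) are handled by the csv module.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve = (row.get("CVE") or "").strip()
        if not cve:
            continue
        try:
            score = float(row.get("CVSS") or 0)
        except ValueError:
            score = 0.0
        if score >= min_cvss:
            hits.append((row["DependencyName"], cve, score))
    return hits


def run_scan(scan_dir, out_dir, project, suppression):
    """Invoke the ODC CLI on a project tree and return the CSV report path.

    The Node and NSP analyzers are enabled by default in 3.1.0, so no
    --enableExperimental flag is needed for a Node.js project.
    """
    cmd = [ODC_CLI, "--project", project, "--scan", str(scan_dir),
           "--format", "CSV", "--out", str(out_dir),
           "--suppression", str(suppression)]
    subprocess.run(cmd, check=True)
    return Path(out_dir) / "dependency-check-report.csv"   # assumed default file name


def main(argv):
    if len(argv) < 3:
        print(f"usage: {argv[0]} <scan-dir> <out-dir> [suppression.xml]", file=sys.stderr)
        return 2
    scan_dir, out_dir = Path(argv[1]), Path(argv[2])
    out_dir.mkdir(parents=True, exist_ok=True)
    if len(argv) > 3:
        suppression = Path(argv[3])
    else:
        suppression = out_dir / "suppressions.xml"
        suppression.write_text(SUPPRESSION_XML)
    try:
        rules = count_suppressions(suppression.read_text())
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 2
    print(f"{rules} suppression rule(s) loaded from {suppression}")
    report = run_scan(scan_dir, out_dir, scan_dir.resolve().name, suppression)
    hits = findings_above(report.read_text(), MIN_CVSS)
    for dep, cve, score in hits:
        print(f"FAIL {dep}: {cve} (CVSS {score})")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python odc_gate.py ./my-node-app ./odc-out suppressions.xml` from CI; it exits 1 when any finding reaches MIN_CVSS, 2 on a bad suppression file or usage error, and 0 on a clean report. Reading the report rather than relying only on the tool's exit status lets the CI log name every affected package and CVE, which is what a developer needs in order to decide between upgrading the package and adding a reviewed suppression rule.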
